roadlabs / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

CefShutdown crashes due to corrupted heap with remote debugging port specified #1557

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Compile cefclient and launch it with remote-debugging-port enabled.
2. Close the window.

What is the expected output? What do you see instead?

CefShutdown should finish without any kind of issue, instead it crashes in 
allocator_shim_win.cc due to heap corruption.

What version of the product are you using? On what operating system?
CEF3 branch 2272 VS2013u4 on Windows 8.1

Please provide any additional information below.

This crash also happens when using a minimal CEF initialization: calling 
CefInitialize with the port specified and then calling CefShutdown gives 
the same error.

Original issue reported on code.google.com by lambdace...@gmail.com on 1 Mar 2015 at 3:20

GoogleCodeExporter commented 9 years ago
Here's the report using ASan on Linux at trunk revision 2040:

$ ./out/Release/cefclient --remote-debugging-port=8088 2>&1 | 
tools/valgrind/asan/asan_symbolize.py

=================================================================
==3051==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000013558 
at pc 0x7f97f3c5bdfd bp 0x7fff9cee8140 sp 0x7fff9cee8138
WRITE of size 8 at 0x602000013558 thread T0 (cefclient)
    #0 0x7f97f3c5bdfc in reset /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:248:5
    #1 0x7f97f3c5bdfc in reset /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:376:0
    #2 0x7f97f3c5bdfc in CefDevToolsDelegate::Stop() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/devtools_delegate.cc:153:0
    #3 0x7f97f3c1486e in CefBrowserMainParts::PostMainMessageLoopRun() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/browser_main.cc:149:5
    #4 0x7f97fb5d0249 in content::BrowserMainLoop::ShutdownThreadsAndCleanUp() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_loop.cc:837:5
    #5 0x7f97fb5d77f5 in content::BrowserMainRunnerImpl::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_runner.cc:244:7
    #6 0x7f97f3d34431 in CefMainDelegate::ShutdownBrowser() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/common/main_delegate.cc:573:5
    #7 0x7f97f3c3e6db in CefContext::FinalizeShutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:390:3
    #8 0x7f97f3c3db00 in CefContext::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:316:5
    #9 0x7f97f3c3d70f in CefShutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:141:3
    #10 0x4ea072 in client::MainContextImpl::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/browser/main_context_impl.cc:100:3
    #11 0x4c3fb5 in RunMain /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:127:3
    #12 0x4c3fb5 in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:142:0
    #13 0x7f97ed375ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

0x602000013558 is located 8 bytes inside of 16-byte region 
[0x602000013550,0x602000013560)
freed by thread T0 (cefclient) here:
    #0 0x4a2049 in operator delete(void*) ??:0:0
    #1 0x7f97fb610117 in operator() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:127:5
    #2 0x7f97fb610117 in ~scoped_ptr_impl /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:221:0
    #3 0x7f97fb610117 in ~scoped_ptr /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:311:0
    #4 0x7f97fb610117 in content::(anonymous namespace)::DevToolsHttpHandlerImpl::~DevToolsHttpHandlerImpl() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/devtools/devtools_http_handler_impl.cc:514:0
    #5 0x7f97fb6102fd in content::(anonymous namespace)::DevToolsHttpHandlerImpl::~DevToolsHttpHandlerImpl() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/devtools/devtools_http_handler_impl.cc:509:53
    #6 0x7f97f3c5bdd6 in operator() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:127:5
    #7 0x7f97f3c5bdd6 in reset /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:247:0
    #8 0x7f97f3c5bdd6 in reset /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/scoped_ptr.h:376:0
    #9 0x7f97f3c5bdd6 in CefDevToolsDelegate::Stop() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/devtools_delegate.cc:153:0
    #10 0x7f97f3c1486e in CefBrowserMainParts::PostMainMessageLoopRun() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/browser_main.cc:149:5
    #11 0x7f97fb5d0249 in content::BrowserMainLoop::ShutdownThreadsAndCleanUp() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_loop.cc:837:5
    #12 0x7f97fb5d77f5 in content::BrowserMainRunnerImpl::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_runner.cc:244:7
    #13 0x7f97f3d34431 in CefMainDelegate::ShutdownBrowser() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/common/main_delegate.cc:573:5
    #14 0x7f97f3c3e6db in CefContext::FinalizeShutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:390:3
    #15 0x7f97f3c3db00 in CefContext::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:316:5
    #16 0x7f97f3c3d70f in CefShutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:141:3
    #17 0x4ea072 in client::MainContextImpl::Shutdown() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/browser/main_context_impl.cc:100:3
    #18 0x4c3fb5 in RunMain /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:127:3
    #19 0x4c3fb5 in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:142:0
    #20 0x7f97ed375ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

previously allocated by thread T0 (cefclient) here:
    #0 0x4a1ac9 in operator new(unsigned long) ??:0:0
    #1 0x7f97f3c145ab in CefBrowserMainParts::PreMainMessageLoopRun() /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/browser_main.cc:139:7
    #2 0x7f97fb5cf819 in content::BrowserMainLoop::PreMainMessageLoopRun() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_loop.cc:791:5
    #3 0x7f97fbce5a08 in Run /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/callback.h:396:12
    #4 0x7f97fbce5a08 in content::StartupTaskRunner::RunAllTasksNow() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/startup_task_runner.cc:45:0
    #5 0x7f97fb5cbd31 in content::BrowserMainLoop::CreateStartupTasks() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_loop.cc:689:3
    #6 0x7f97fb5d706d in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/browser_main_runner.cc:188:5
    #7 0x7f97f3d33e43 in CefMainDelegate::RunProcess(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/common/main_delegate.cc:517:23
    #8 0x7f97fd33c279 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/app/content_main_runner.cc:410:25
    #9 0x7f97fd33d4d8 in content::ContentMainRunnerImpl::Run() /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/app/content_main_runner.cc:803:12
    #10 0x7f97f3c3d2e4 in CefContext::Initialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, CefRefPtr<CefApp>, void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:276:15
    #11 0x7f97f3c3cc00 in CefInitialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, CefRefPtr<CefApp>, void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/context.cc:123:10
    #12 0x7f97f3aeea61 in cef_initialize /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef_dll/libcef_dll.cc:171:18
    #13 0x541c88 in CefInitialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, CefRefPtr<CefApp>, void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef_dll/wrapper/libcef_dll_wrapper.cc:163:17
    #14 0x4e9d98 in client::MainContextImpl::Initialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, CefRefPtr<CefApp>, void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/browser/main_context_impl.cc:80:8
    #15 0x4c3d69 in RunMain /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:100:3
    #16 0x4c3d69 in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/cefclient/cefclient_gtk.cc:142:0
    #17 0x7f97ed375ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

Original comment by magreenb...@gmail.com on 3 Mar 2015 at 6:36
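Read together, the three stacks in the report describe an ownership cycle: CefDevToolsDelegate::Stop() resets the scoped_ptr that owns the DevToolsHttpHandlerImpl, the handler's destructor deletes the delegate through its own scoped_ptr, and the reset in Stop() then stores into the 16-byte object it just freed, which by the allocation site and the offset is the delegate itself. The model below is an added example, not CEF or Chromium code: it rebuilds that cycle with stand-in Delegate and Handler types on a constructed quarantine heap, so the stale store is counted rather than executed, and contrasts the reset() ordering visible in the trace with one that assigns the new pointer before deleting the old one (one mitigation; the page does not say what revision 2041 changed).

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
// Quarantine heap (constructed for this example): slots are never reused, so a
// store into freed memory is counted instead of corrupting the real heap.
static constexpr std::size_t kSlotBytes = 64;
struct Slot { alignas(16) unsigned char bytes[kSlotBytes]; bool live = false; };
static Slot g_slots[4];
static int g_next_slot = 0, g_stale_writes = 0;
static void* q_alloc(std::size_t n) {
  assert(n <= kSlotBytes && g_next_slot < 4); g_slots[g_next_slot].live = true;
  return g_slots[g_next_slot++].bytes;
}
static void q_free(void* p) { for (Slot& s : g_slots) if (p == s.bytes) s.live = false; }
static bool q_live(const void* p) {
  auto a = reinterpret_cast<std::uintptr_t>(p), b = reinterpret_cast<std::uintptr_t>(g_slots);
  if (a < b || a >= b + sizeof(g_slots)) return true;  // outside the quarantine heap
  return g_slots[(a - b) / sizeof(Slot)].live;
}
struct Quarantined {  // derived objects are allocated from the quarantine heap
  static void* operator new(std::size_t n) { return q_alloc(n); }
  static void operator delete(void* p) { q_free(p); }
};
// Minimal scoped_ptr. kLegacy mirrors the order seen in the trace (clear, delete,
// then assign): the trailing assignment is the 8-byte write into freed memory.
template <typename T, bool kLegacy> struct ScopedPtr {
  T* ptr = nullptr;  ~ScopedPtr() { reset(nullptr); }
  void guarded_store(T* p) { if (q_live(&ptr)) ptr = p; else ++g_stale_writes; }
  void reset(T* p) {
    T* old = ptr;
    if (kLegacy) { ptr = nullptr; delete old; guarded_store(p); }
    else { ptr = p; delete old; }  // hardened: *this is never touched after delete
  }
};
template <bool kLegacy> struct Delegate;
template <bool kLegacy> struct Handler : Quarantined {  // stand-in for DevToolsHttpHandlerImpl: owns its delegate
  ScopedPtr<Delegate<kLegacy>, kLegacy> delegate;
  explicit Handler(Delegate<kLegacy>* d) { delegate.reset(d); }
};
template <bool kLegacy> struct Delegate : Quarantined {  // stand-in for CefDevToolsDelegate: owns the handler
  ScopedPtr<Handler<kLegacy>, kLegacy> handler;
  void Start() { handler.reset(new Handler<kLegacy>(this)); }
  void Stop() { handler.reset(nullptr); }  // deleting the handler deletes *this*
};
// Runs one start/stop cycle and returns how many stores landed in freed memory.
template <bool kLegacy> int stale_writes_during_shutdown() {
  g_next_slot = 0; g_stale_writes = 0;
  Delegate<kLegacy>* d = new Delegate<kLegacy>; d->Start();
  d->Stop();  // d has been destroyed when this call returns
  return g_stale_writes;
}
```

With the legacy ordering the cycle produces exactly one stale store (the null written into the freed delegate, which is what ASan flagged); with the hardened ordering it produces none, though Stop() must still not touch any member after the reset.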

GoogleCodeExporter commented 9 years ago
Fixed in trunk revision 2041 and 2272 branch revision 2042.

Original comment by magreenb...@gmail.com on 3 Mar 2015 at 6:42

GoogleCodeExporter commented 9 years ago
Issue 1516 has been merged into this issue.

Original comment by magreenb...@gmail.com on 3 Mar 2015 at 7:06